Patch Tuesday It’s that time of the month again, and Microsoft has released a bumper bundle of security fixes for Patch Tuesday, including one for out-of-support operating systems Windows XP and Server 2003.
Usually support for such aging operating systems costs an arm and a leg, though Redmond has released a freebie because of the serious nature of the critical flaw, assigned CVE-2019-0708, in Remote Desktop Services, or Terminal Services as it was. The vulnerability allows remote code execution with no user involvement or any authentication required, making it a gift to scum looking to spread malware.
Basically, find one of countless vulnerable Windows boxes facing the internet or on a network, and send carefully crafted packets to its remote desktop service, if running, to start executing malicious code on the machine. From there, other computers can be found by scanning IP ranges, and then you've got a proper old school worm on your hands.
“The vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017,” the advisory states, referring to the Windows nasty that used stolen NSA exploits to hijack boxes.
“While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware. It is important that affected systems are patched as quickly as possible to prevent such a scenario from happening. In response, we are taking the unusual step of providing a security update for all customers to protect Windows platforms, including some out-of-support versions of Windows.”
For highly likely, read absolutely certain: a malware propagation method like this is going to be appearing very soon since it’s a low-cost, highly effective way of spamming out ransomware and trojans. Windows 8 and 10 are unaffected, but there’s still a vast pool of older systems out there that could be hit if left unpatched. The affected operating system builds include: Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, and Windows XP.
While you’re patching that, there’s a lot of other stuff to fix in the Patch Tuesday update. In particular there’s fixes out for the information-leaking family of Microarchitectural Data Sampling (MDS) security flaws in Intel processors revealed this week.
Buffer the Intel flayer: Chipzilla, Microsoft, Linux world, etc emit fixes for yet more data-leaking processor flawsREAD MORE
In all Redmond put out fixes for 79 holes, 22 of them critical. Of those, three can be exploited to achieve remote code execution, and they affect GDI+, Word and DHCP Server. The latter, CVE-2019-0725, is a particularly nasty memory corruption vulnerability, since all that is needed to exploit it is a well-crafted packet sent to a DHCP server and affects all currently supported versions of Windows, client and server.
The remaining 18 critical flaws are for scripting engines and browsers, and while all should be patched there’s no evidence as yet that any are being exploited in the wild. Not so for CVE-2019-0863, an elevation of privilege flaw in Windows Error Reporting (WER) deals with files, which Microsoft says is being used by crooks to fully compromise infected machines.
What with it being Patch Tuesday there are other vendors adding their patches in. As is traditional, Adobe dropped 86 flaw fixes, mainly in Reader and Acrobat, and Citrix, too, has one of its own.
That flaw, spotted by researchers at NCC Group, is a logic vulnerability that can be exploited to gain "remote access to a host’s storage via Edge, Internet Explorer, Firefox and Chrome on Microsoft Windows by a malicious Citrix server." Concerned customers should update to the latest builds of Citrix Workspace app, and Citrix Receiver for Windows.
Please make sure you apply all the patches you can as soon as you are able before hackers start targeting them. ®